Sex, software, politics, and firearms. Life's simple pleasures…

Spam alert

Yes, I’m aware of the spam on the blog front page. The management does not hawk dubious drugs.

Daniel Franke and I just did an audit and re-secure of the blog last night, so this is a new attack. Looks like a different vector; previously the spam was edited into the posts and invisible, this time it’s only in the front-page display and visible.

It’s a fresh instance of WordPress verified against pristine sources less than 24 hours ago, all permissions checked. Accordingly, this may be a zero-day attack.

Daniel and I will tackle it later tonight after his dinner and my kung-fu class. I’ll update this post with news.

UPDATE: The initial spam has been removed. We don’t know where the hole is, though, so more may appear.

UPDATE2: It’s now about 6 hours later and spam has not reappeared. I changed my blog password to a stronger one, so one theory is that the bad guys were running a really good dictionary cracker.

>Eric, have you considered moving to a blogging system written in a language you prefer

Yes. There are practical difficulties. Like (a) getting ibiblio to host it, and (b) moving my existing posts to it. The latter has a complication: I’d need the post permalinks to be the same. Can any of these handle that?

I noticed that your blog does not use “permalink” style URLs; rather it uses the parameter in the HTTP GET vars.

I suspect replicating this behaviour will mean that you need to not only ensure that your blog posts are transferred over to a new db, but the new db maps the primary key IDs of the older database to the newer one.

I think that would be a big roadblock.

Considering the popularity of your blog you’d need to write a script that does HTTP 301 redirects to the new URL scheme from the old one. That would involve the tedious process of mapping out each primary key ID to the title of your post (or whatever scheme you use in the new blog software).

Eric and I keep missing each other on IRC. The dictionary attack hypothesis will be easy to confirm or disconfirm once we’ve had a look at the Apache logs. If that’s how the spammer got in, though, then Eric must have chosen a significantly weaker password when he rotated it a month ago, because I spent several hours trying to crack his old password hash on a GPU, without success.

As Eric notes, I’ve verified his WordPress tree against pristine upstream sources, not just the base WordPress installation but also the plugins and themes, and verified that everything in his uploads directory is harmless and belongs there. I’ve gone through his database looking for stored XSS and rogue accounts with elevated privileges and come up empty. We’ve rotated the cookie auth keys, and Cathy (who has edit privileges) has rotated her password too.

I’m generally very reluctant to cry “0day!” until I’m certain I’ve ruled everything else out, but we’re rapidly approaching the point where we’re down to either that or infrastructure compromise.
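The Apache-log check Daniel describes (confirming or disconfirming the dictionary-attack hypothesis) can be scripted. The following is an added example, not Eric's or Daniel's tooling: it parses Apache combined-format lines, counts POSTs to wp-login.php per client, flags any client whose failures cluster within a short window, and notes whether a later successful login followed from the same address. The log lines are constructed for the example, and the heuristic that a failed WordPress login answers 200 (the form is re-rendered) while a successful one answers 302 is an assumption about the default WordPress behaviour.

```python
"""Look for password guessing against wp-login.php in Apache access logs.

Added example, not the blog's own tooling.  Assumptions: Apache combined log
format; a failed WordPress login returns 200 (form re-rendered) and a
successful one returns 302 (redirect into wp-admin).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined log format: ip ident user [ts] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log: a burst of failed logins from one address followed
# by a success, one ordinary login from another address, and a page view.
SAMPLE_LOG = """\
203.0.113.7 - - [14/Jul/2011:02:13:01 -0400] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jul/2011:02:13:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jul/2011:02:13:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jul/2011:02:13:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jul/2011:02:13:04 -0400] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jul/2011:02:13:05 -0400] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [14/Jul/2011:02:13:06 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [14/Jul/2011:08:41:10 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [14/Jul/2011:09:02:44 -0400] "GET /?p=3415 HTTP/1.1" 200 18422 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    return rec


def login_events(lines):
    """Yield (ip, timestamp, failed) for every POST to wp-login.php."""
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].startswith("/wp-login.php"):
            yield rec["ip"], rec["ts"], rec["status"] == 200


def find_guessing(lines, threshold=5, window=timedelta(minutes=10)):
    """Report addresses with at least `threshold` failed logins inside `window`.

    For each flagged address the report carries the total failure count, the
    peak number of failures seen in any single window, and whether a
    successful login from that address followed the last failure.
    """
    per_ip = defaultdict(lambda: {"failures": [], "successes": []})
    for ip, ts, failed in login_events(lines):
        per_ip[ip]["failures" if failed else "successes"].append(ts)

    report = {}
    for ip, ev in per_ip.items():
        fails = sorted(ev["failures"])
        peak, start = 0, 0
        for end in range(len(fails)):            # sliding window over sorted times
            while fails[end] - fails[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            last_fail = fails[-1]
            report[ip] = {
                "failures": len(fails),
                "peak_in_window": peak,
                "succeeded_after": any(s > last_fail for s in ev["successes"]),
            }
    return report


if __name__ == "__main__":
    for ip, info in find_guessing(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

A flagged address whose `succeeded_after` is true is the pattern the dictionary-attack theory predicts; a burst of failures with no success afterwards is the usual background noise any public WordPress login page collects, and an account takeover with no failures at all in the log points elsewhere than password guessing.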

It would really be mapping the ID column in the posts table with the post_id value in the postmeta table and mapping the comments to the correct posts. I’m not as familiar with the comments and the commentsmeta tables in the WordPress database.
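The permalink mapping discussed in the two comments above (turning the old `?p=ID` links into 301 redirects to a new URL scheme) comes down to a table from the `ID` column of `wp_posts` to the new path. The following added example, not code from the blog or from any CMS, builds that table from constructed sample rows, resolves an old-style URL to its new path, and emits Apache mod_rewrite rules. The target scheme `/YYYY/MM/post_name/` and the column subset `(ID, post_date, post_name)` are assumptions for the example.

```python
"""Map WordPress ?p=ID links to a new permalink scheme and emit 301 rules.

Added example, not the blog's migration script.  Assumes rows exported from
wp_posts as (ID, post_date, post_name) and a target scheme /YYYY/MM/post_name/.
"""
from urllib.parse import urlparse, parse_qs

# Constructed sample rows in the shape of wp_posts (ID, post_date, post_name).
SAMPLE_POSTS = [
    (3415, "2011-07-15 10:23:00", "spam-alert"),
    (3388, "2011-07-02 09:00:00", "why-wordpress"),
    (3401, "2011-07-10 21:17:00", "a-post-title"),
]


def build_id_map(rows):
    """Map each numeric post ID to its new canonical path."""
    mapping = {}
    for post_id, post_date, post_name in rows:
        year, month = post_date[:4], post_date[5:7]
        mapping[post_id] = f"/{year}/{month}/{post_name}/"
    return mapping


def resolve_old_url(url, id_map):
    """Return the new path for an old ?p=ID URL, or None if it cannot be mapped."""
    query = parse_qs(urlparse(url).query)
    values = query.get("p")
    if not values or not values[0].isdigit():
        return None
    return id_map.get(int(values[0]))


def apache_rules(id_map):
    """Emit mod_rewrite rules for the mapping.

    RewriteRule only matches the path, so the query string is matched with a
    RewriteCond; the trailing '?' on the target drops the old query string so
    the redirect does not carry ?p=ID along to the new URL.
    """
    lines = ["RewriteEngine On"]
    for post_id, path in sorted(id_map.items()):
        lines.append(f"RewriteCond %{{QUERY_STRING}} ^p={post_id}$")
        lines.append(f"RewriteRule ^/?$ {path}? [R=301,L]")
    return lines


if __name__ == "__main__":
    print("\n".join(apache_rules(build_id_map(SAMPLE_POSTS))))
```

For a real migration the rows would come from `SELECT ID, post_date, post_name FROM wp_posts WHERE post_status='publish'`, and the same `ID` → path table is what the comment and postmeta rows have to be re-keyed against so that imported comments land on the right posts.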

I would see the big issue as losing the 10,000 man-hour head start when moving to a different CMS.

URL compatibility is not the big obstacle to ditching WordPress. The obstacle is finding something better to replace it with. My usual advice to those who ask me about this is to use a static site generator like Octopress, but a static site means no comment support. Having an active comment community, and, especially, dealing with comment spam, drives the essential complexity of the problem way up and puts you back in the league of a full-fledged CMS. The trouble is, I don’t know of any full-fledged CMS that isn’t a PHP hellswamp, the securing of which apparently escapes the combined wits of a professional security researcher and a Great Old One.

There are other CMS systems in different languages, but it’s tough to beat the WordPress ecosystem of plugins and extensibility. Don’t discount the value of active development and the scale of the development community.